What is The Likelihood of the Blaster Worm having Something to do With the Power Outages?

This idea was expressed in a snippet on the radio and I was wondering if
it's really so far fetched... It was a nasty worm and caused me quite a bit
of trouble myself, amazing that it was able to enter my computer directly
without any action on my part except for logging onto the internet...

In article <4Bt%a.25650$>, says...
> This idea was expressed in a snippet on the radio and I was wondering if
> it's really so far fetched... It was a nasty worm and caused me quite a bit
> of trouble myself, amazing that it was able to enter my computer directly
> without any action on my part except for logging onto the internet...
>
Jezus christ!

Well, yeah, it could have caused it if the US energy companies employ
people stupid enough to believe that Windows is secure and doesn't need
patching, people that are actually surprised that something nasty
happens if they leave port 135 open.

The Blaster worm is/was aimed at Microsoft *Windows* Update - it
was set to perform a DoS on a particular MS url (which MS pulled).
There are variations, which install trojans, but I find it hard to believe
that it had *anything* to do with the blackouts - even the DoS against
Microsoft was a failure.

On Sat, 16 Aug 2003 17:11:28 GMT, in
<4Bt%a.25650$>
Nicole Kidman scrawled:
>This idea was expressed in a snippet on the radio and I was wondering if
>it's really so far fetched... It was a nasty worm and caused me quite a bit
>of trouble myself, amazing that it was able to enter my computer directly
>without any action on my part except for logging onto the internet...
>

In article <>, says...
> The Blaster worm is/was aimed at Microsoft *Windows* Update - it
> was set to perform a DoS on a particular MS url (which MS pulled).
> There are variations, which install trojans, but I find it hard to believe
> that it had *anything* to do with the blackouts - even the DoS against
> Microsoft was a failure.
>
>
> On Sat, 16 Aug 2003 17:11:28 GMT, in
> <4Bt%a.25650$>
> Nicole Kidman scrawled:
>
> >This idea was expressed in a snippet on the radio and I was wondering if
> >it's really so far fetched... It was a nasty worm and caused me quite a bit
> >of trouble myself, amazing that it was able to enter my computer directly
> >without any action on my part except for logging onto the internet...
> >
>
>

But don't forget that the power stations used SCADA systems, which all
communicate via DCOM, and if that got taken out, and all comms went in
the SCADA systems, the plants would shut down.

On Sat, 16 Aug 2003 19:48:49 +0100, in
<>
Michael Thompson scrawled:
>In article <>,
> says...
>> The Blaster worm is/was aimed at Microsoft *Windows* Update - it
>> was set to perform a DoS on a particular MS url (which MS pulled).
>> There are variations, which install trojans, but I find it hard to believe
>> that it had *anything* to do with the blackouts - even the DoS against
>> Microsoft was a failure.
>>
>>
>> On Sat, 16 Aug 2003 17:11:28 GMT, in
>> <4Bt%a.25650$>
>> Nicole Kidman scrawled:
>>
>> >This idea was expressed in a snippet on the radio and I was wondering if
>> >it's really so far fetched... It was a nasty worm and caused me quite a bit
>> >of trouble myself, amazing that it was able to enter my computer directly
>> >without any action on my part except for logging onto the internet...
>> >
>>
>
>But don't forget that the power stations used SCADA systems, which all
>communicate via DCOM, and if that got taken out, and all comms went in
>the SCADA systems, the plants would shut down.

In article <>, says...
> In article <>,
> says...
> > The Blaster worm is/was aimed at Microsoft *Windows* Update - it
> > was set to perform a DoS on a particular MS url (which MS pulled).
> > There are variations, which install trojans, but I find it hard to believe
> > that it had *anything* to do with the blackouts - even the DoS against
> > Microsoft was a failure.
> >
> >
> > On Sat, 16 Aug 2003 17:11:28 GMT, in
> > <4Bt%a.25650$>
> > Nicole Kidman scrawled:
> >
> > >This idea was expressed in a snippet on the radio and I was wondering if
> > >it's really so far fetched... It was a nasty worm and caused me quite a bit
> > >of trouble myself, amazing that it was able to enter my computer directly
> > >without any action on my part except for logging onto the internet...
> > >
> >
> >
>
>
> But don't forget that the power stations used SCADA systems, which all
> communicate via DCOM, and if that got taken out, and all comms went in
> the SCADA systems, the plants would shut down.
>

QUOTE:

I believe that the outage was caused by the MSblaster, or its
mutation, which was besieged upon the respective vulnerability
in certain control and monitoring systems (SCADA and otherwise)
running MS 2000 or XP, located at different points along the Grid.
Some of these systems are accessible via the Internet, while
others are accessible by POTS dialup, or private Frame relay and
dedicated connectivity.

Being an old PLC automation and control hack let me say that
there is a very good plausibility that the recent East Coast
power outage was due to an attack by an MBlaster variant on the
SCADA system at the power plant master terminal, or more likely
at several of the remote terminal units "RTU". SCADA runs under
Win2000 / XP and the telemetry to the RTU is accessible via the
Internet.

From what I recall SCADA based monitoring and control systems
were installed at many water / sewer processing, gas and oil
processing, and hydro-electric plants.

I also believe that yesterday's flooding of a generator sub-
facility in Philadelphia was also due to an MBlaster variant
attack on the SCADA or similarly Win 2000 / XP based system.

To make things worse, the Web Interface is MS ActiveX. Now let's
see, how can one craft an ActiveX vuln vector into the blaster?

Oh, and for the wardrivers, SCADA can be accessed via wireless
connections on the road? puts a new perspective on sniffing
around sewer plants.

It is also reasonable to assume that we could have a similar
security threat regarding those systems (SCADA and otherwise
based on MS 2000 or XP) involved in the control, data
acquisition, and maintenance of other critical infrastructure,
such as inter/intra state GAS Distribution, Nuclear Plant
Monitoring, Water and Sewer Processing, and city Traffic
Control. IMO

I think we will see a lot of finger pointing by government
agencies, Utilities, and politicians for the Grid outage, until
someone confesses to the security dilemma and vulnerabilities in
the systems which are involved in running this critical
infrastructure.

Regardless of whether the Grid outage can be attributed to the
blaster or its variant, this is not entirely a Microsoft
problem, as it reeks of poor System Security Engineering
practiced by the Utility Companies, and associated equipment and
technology suppliers.

Nonetheless, the incident will cause lots of money to be
earmarked by the US and Canadian Governments, to be spent in an
attempt to solve the problem, or more specifically calm the
public.

This incident should be fully investigated, and regulations
passed to ensure that the Utility companies and their suppliers
develop and implement proper safeguards that will help prevent
or at least significantly mitigate the effects of such a
catastrophe.

Conversely, I do not want to see our Government directly
involved in yet another "business", which has such a controlling
impact over our individual lives.

On Sat, 16 Aug 2003 20:52:52 +0100, Michael Thompson wrote:
> In article <>,
> says...
>> In article <>,
>> says...
>> > The Blaster worm is/was aimed at Microsoft *Windows* Update - it
>> > was set to perform a DoS on a particular MS url (which MS pulled).
>> > There are variations, which install trojans, but I find it hard to believe
>> > that it had *anything* to do with the blackouts - even the DoS against
>> > Microsoft was a failure.
>> >
>> >
>> > On Sat, 16 Aug 2003 17:11:28 GMT, in
>> > <4Bt%a.25650$>
>> > Nicole Kidman scrawled:
>> >
>> > >This idea was expressed in a snippet on the radio and I was wondering if
>> > >it's really so far fetched... It was a nasty worm and caused me quite a bit
>> > >of trouble myself, amazing that it was able to enter my computer directly
>> > >without any action on my part except for logging onto the internet...
>> > >
>> >
>> >
>>
>>
>> But don't forget that the power stations used SCADA systems, which all
>> communicate via DCOM, and if that got taken out, and all comms went in
>> the SCADA systems, the plants would shut down.
>>
>
> QUOTE:

Where is this quote from?
>
> I believe that the outage was caused by the MSblaster, or its
> mutation, which was besieged upon the respective vulnerability
> in certain control and monitoring systems (SCADA and otherwise)
> running MS 2000 or XP, located at different points along the Grid.
> Some of these systems are accessible via the Internet, while
> others are accessible by POTS dialup, or private Frame relay and
> dedicated connectivity.
>
> Being an old PLC automation and control hack let me say that
> there is a very good plausibility that the recent East Coast
> power outage was due to an attack by an MBlaster variant on the
> SCADA system at the power plant master terminal, or more likely
> at several of the remote terminal units "RTU". SCADA runs under
> Win2000 / XP and the telemetry to the RTU is accessible via the
> Internet.
>
> From what I recall SCADA based monitoring and control systems
> were installed at many water / sewer processing, gas and oil
> processing, and hydro-electric plants.
>
> I also believe that yesterday's flooding of a generator sub-
> facility in Philadelphia was also due to an MBlaster variant
> attack on the SCADA or similarly Win 2000 / XP based system.
>
> To make things worse, the Web Interface is MS ActiveX. Now let's
> see, how can one craft an ActiveX vuln vector into the blaster?
>
> Oh, and for the wardrivers, SCADA can be accessed via wireless
> connections on the road? puts a new perspective on sniffing
> around sewer plants.
>
> It is also reasonable to assume that we could have a similar
> security threat regarding those systems (SCADA and otherwise
> based on MS 2000 or XP) involved in the control, data
> acquisition, and maintenance of other critical infrastructure,
> such as inter/intra state GAS Distribution, Nuclear Plant
> Monitoring, Water and Sewer Processing, and city Traffic
> Control. IMO
>
> I think we will see a lot of finger pointing by government
> agencies, Utilities, and politicians for the Grid outage, until
> someone confesses to the security dilemma and vulnerabilities in
> the systems which are involved in running this critical
> infrastructure.
>
> Regardless of whether the Grid outage can be attributed to the
> blaster or its variant, this is not entirely a Microsoft
> problem, as it reeks of poor System Security Engineering
> practiced by the Utility Companies, and associated equipment and
> technology suppliers.
>
> Nonetheless, the incident will cause lots of money to be
> earmarked by the US and Canadian Governments, to be spent in an
> attempt to solve the problem, or more specifically calm the
> public.
>
> This incident should be fully investigated, and regulations
> passed to ensure that the Utility companies and their suppliers
> develop and implement proper safeguards that will help prevent
> or at least significantly mitigate the effects of such a
> catastrophe.
>
> Conversely, I do not want to see our Government directly
> involved in yet another "business", which has such a controlling
> impact over our individual lives.

On Sat, 16 Aug 2003 20:52:52 +0100, in
<>
Michael Thompson scrawled:
>In article <>,
> says...
>> In article <>,
>> says...
>> > The Blaster worm is/was aimed at Microsoft *Windows* Update - it
>> > was set to perform a DoS on a particular MS url (which MS pulled).
>> > There are variations, which install trojans, but I find it hard to believe
>> > that it had *anything* to do with the blackouts - even the DoS against
>> > Microsoft was a failure.
>> >
>> >
>> > On Sat, 16 Aug 2003 17:11:28 GMT, in
>> > <4Bt%a.25650$>
>> > Nicole Kidman scrawled:
>> >
>> > >This idea was expressed in a snippet on the radio and I was wondering if
>> > >it's really so far fetched... It was a nasty worm and caused me quite a bit
>> > >of trouble myself, amazing that it was able to enter my computer directly
>> > >without any action on my part except for logging onto the internet...
>> > >
>> >
>> >
>>
>>
>> But don't forget that the power stations used SCADA systems, which all
>> communicate via DCOM, and if that got taken out, and all comms went in
>> the SCADA systems, the plants would shut down.
>>
>
>QUOTE:

In article <>,lid says...
> On Sat, 16 Aug 2003 20:52:52 +0100, Michael Thompson wrote:
> > In article <>,
> > says...
> >> In article <>,
> >> says...
> >> > The Blaster worm is/was aimed at Microsoft *Windows* Update - it
> >> > was set to perform a DoS on a particular MS url (which MS pulled).
> >> > There are variations, which install trojans, but I find it hard to believe
> >> > that it had *anything* to do with the blackouts - even the DoS against
> >> > Microsoft was a failure.
> >> >
> >> >
> >> > On Sat, 16 Aug 2003 17:11:28 GMT, in
> >> > <4Bt%a.25650$>
> >> > Nicole Kidman scrawled:
> >> >
> >> > >This idea was expressed in a snippet on the radio and I was wondering if
> >> > >it's really so far fetched... It was a nasty worm and caused me quite a bit
> >> > >of trouble myself, amazing that it was able to enter my computer directly
> >> > >without any action on my part except for logging onto the internet...
> >> > >
> >> >
> >> >
> >>
> >>
> >> But don't forget that the power stations used SCADA systems, which all
> >> communicate via DCOM, and if that got taken out, and all comms went in
> >> the SCADA systems, the plants would shut down.
> >>
> >
> > QUOTE:
>
> Where is this quote from?
>
> >
> > I believe that the outage was caused by the MSblaster, or its
> > mutation, which was besieged upon the respective vulnerability
> > in certain control and monitoring systems (SCADA and otherwise)
> > running MS 2000 or XP, located at different points along the Grid.
> > Some of these systems are accessible via the Internet, while
> > others are accessible by POTS dialup, or private Frame relay and
> > dedicated connectivity.
> >
> > Being an old PLC automation and control hack let me say that
> > there is a very good plausibility that the recent East Coast
> > power outage was due to an attack by an MBlaster variant on the
> > SCADA system at the power plant master terminal, or more likely
> > at several of the remote terminal units "RTU". SCADA runs under
> > Win2000 / XP and the telemetry to the RTU is accessible via the
> > Internet.

The quote was from a private email, from a friend when I used to be a
SCADA process engineer. We were just discussing the possibility.

°Mike° wrote:
> On Sat, 16 Aug 2003 20:52:52 +0100, in
> <>
> Michael Thompson scrawled:
>
>>In article <>,
>> says...
>>> In article <>,
>>> says...
>>> > The Blaster worm is/was aimed at Microsoft *Windows* Update - it
>>> > was set to perform a DoS on a particular MS url (which MS pulled).
>>> > There are variations, which install trojans, but I find it hard to
>>> > believe that it had *anything* to do with the blackouts - even the DoS
>>> > against Microsoft was a failure.
>>> >
>>> >
>>> > On Sat, 16 Aug 2003 17:11:28 GMT, in
>>> > <4Bt%a.25650$>
>>> > Nicole Kidman scrawled:
>>> >
>>> > >This idea was expressed in a snippet on the radio and I was wondering
>>> > >if it's really so far fetched... It was a nasty worm and caused me
>>> > >quite a bit of trouble myself, amazing that it was able to enter my
>>> > >computer directly without any action on my part except for logging
>>> > >onto the internet...
>>> > >
>>> >
>>> >
>>>
>>>
>>> But don't forget that the power stations used SCADA systems, which all
>>> communicate via DCOM, and if that got taken out, and all comms went in
>>> the SCADA systems, the plants would shut down.
>>>
>>
>>QUOTE:
>
> Source?
>
> <snip>
>
Whatever the source, it makes sense to me and I'd suspected this even before
I heard of the speculations from other sources. And don't (as some earlier
poster did) credit the power companies with THAT much intelligence: people
are stupid.

<snip>
>> Well, it doesn't make sense to me.
>
>Um, what's difficult about this:
>1. Computer running XP is used as in a control system for a power grid.
>2. Said computer gets the worm, crashes, and keeps crashing due to the worm.
>3. The associated power grid goes down because its control has failed. This
>is called a "fail-safe," which prevents things from running out of control
>when there is no way to control them.

There's only one problem with that scenario; why was *only* eastern
USA and Canada affected? I'm afraid that just doesn't wash.

Also...

"We are now fairly certain this disturbance started in Ohio," said Michehl
R. Gent, the president and chief executive officer of the North American
Electric Reliability Council.

"More than 100 power plants, including 22 nuclear reactors in the United
States and Canada, were shut down to protect them from damage that
could have come from power surges. Most of the shutdowns occurred
by safety systems that were automatically deployed.

Industry officials are trying to understand why the failure of the lines in
the Cleveland area caused the service disruption to spread throughout
much of the Northeast, the Midwest, and Ontario. The transmission
system was supposed to isolate problems, Mr. Gent said."

On Sun, 17 Aug 2003 09:12:22 -0400, in
<3f3f7ebf$0$52147$>
Thund3rstruck scrawled:
>°Mike° Spilled my beer when they jumped on the table and proclaimed
>in <>:
>
>>
>> There's only one problem with that scenario; why was *only* eastern
>> USA and Canada affected? I'm afraid that just doesn't wash.
>
> Agreed there. If it was the worm, why wasn't the rest of the US
>affected?

More to the point, why weren't more countries (not just the US
and Canada) affected?

°Mike° Spilled my beer when they jumped on the table and proclaimed
in <3f4f8ac7.15442926@localhost>:
> More to the point, why weren't more countries (not just the US
> and Canada) affected?

Except for Third World countries, (who probably have older,
non-computer controlled systems, if they exist at all. <G>) I have to
agree also. According to isc.incidents.org, port 135 accounts for a
tremendous amount of attempts over the last 24 hours... That's one
the original Blaster goes after, IIRC.

Just watched the CBS Sunday morning news show. One of the guys
chronicled his trip home last Thurs. Quite an interesting trip.

Interesting how much NYC has changed over the last 2 years, for the
better. (He got some free beer on the way, too. <G>)

This is the Flibbydabby Dee service of the BBC, & on Sun, 17 Aug 2003 10:27:20
-0500, The Old Sourdough uttered this:
>On Sun, 17 Aug 2003 14:42:30 GMT in 24hoursupport.helpdesk, my mind boggled
>at the following statement by Thund3rstruck in message
>news:3f3f93e0$0$13063$
>
>snip
>> Interesting how much NYC has changed over the last 2 years, for the
>> better. (He got some free beer on the way, too. <G>)
>>
>> NOI
>>
>
>Ever noticed how much better the BEER!!11!! tastes whenever someone else
>buys, no matter the brand?

This is the Flibbydabby Dee service of the BBC, & on Sun, 17 Aug 2003 10:42:30
-0400, Thund3rstruck uttered this:
>°Mike° Spilled my beer when they jumped on the table and proclaimed
>in <3f4f8ac7.15442926@localhost>:
>
>> More to the point, why weren't more countries (not just the US
>> and Canada) affected?
>
> Except for Third World countries, (who probably have older,
>non-computer controlled systems, if they exist at all. <G>) I have to
>agree also. According to isc.incidents.org, port 135 accounts for a
>tremendous amount of attempts over the last 24 hours... That's one
>the original Blaster goes after, IIRC.
>
> Just watched the CBS Sunday morning news show. One of the guys
>chronicled his trip home last Thurs. Quite an interesting trip.
>
> Interesting how much NYC has changed over the last 2 years, for the
>better. (He got some free beer on the way, too. <G>)
>
> NOI

William Poaster Spilled my beer when they jumped on the table and
proclaimed in <>:
> This is the Flibbydabby Dee service of the BBC, & on Sun, 17 Aug
> 2003 10:27:20 -0500, The Old Sourdough uttered this:
>>Ever noticed how much better the BEER!!11!! tastes whenever someone
>>else buys, no matter the brand?
>
> BEER!! Mmmmmm!!

On Sat, 16 Aug 2003 17:11:28 GMT, "Nicole Kidman" <> wrote:
>This idea was expressed in a snippet on the radio and I was wondering if
>it's really so far fetched... It was a nasty worm and caused me quite a bit
>of trouble myself, amazing that it was able to enter my computer directly
>without any action on my part except for logging onto the internet...

William Poaster <> wrote:
>This is the Flibbydabby Dee service of the BBC, & on Sun, 17 Aug 2003 10:42:30
>-0400, Thund3rstruck uttered this:
>
>>°Mike° Spilled my beer when they jumped on the table and proclaimed
>>in <3f4f8ac7.15442926@localhost>:
>>
>>> More to the point, why weren't more countries (not just the US
>>> and Canada) affected?
>>
>> Except for Third World countries, (who probably have older,
>>non-computer controlled systems, if they exist at all. <G>) I have to
>>agree also. According to isc.incidents.org, port 135 accounts for a
>>tremendous amount of attempts over the last 24 hours... That's one
>>the original Blaster goes after, IIRC.
>>
>> Just watched the CBS Sunday morning news show. One of the guys
>>chronicled his trip home last Thurs. Quite an interesting trip.
>>
>> Interesting how much NYC has changed over the last 2 years, for the
>>better. (He got some free beer on the way, too. <G>)
>>
>> NOI
>
>Well here's a laugh! ( If it's true )
>
>In the Dutch press, there is a news item that Microsoft has moved its
>update site to.............a Linux environment!!!
>http://www.webwereld.nl/nav/nb?15952

"A man, a plan, a canoe, pasta, heros, rajahs,
a coloratura, maps, snipe, percale, macaroni,
a gag, a banana bag, a tan, a tag, a banana bag
again (or a camel), a crepe, pins, Spam, a rut,
a Rolo, cash, a jar, sore hats, a peon, a canal
- Panama!"
